January 31, 2013

HHS Unveils Final HIPPA Omnibus Rule

In late January, the U.S. Department of Health & Human Services (HHS) issued four final rules, combined to create an omnibus final rule addressing several aspects of patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rules were combined—563 pages—to “reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities.” The new rule will be effective March 26, with a compliance date of Sept. 21. As reported by FierceHealthIT, the rules include:

Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.

Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.

A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.

A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

“Much has changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius said in a statement. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."

According to HHS, contractors, subcontractors and other business associates of healthcare entities that process health insurance claims now will be liable for the protection of private patient information under the updated rule. In addition, monetary penalties for noncompliance with the rule have increased, with a maximum penalty of $1.5 million per violation.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

The FDA Law Blog posted an interesting analysis explaining that the new rule places dramatic revisions to marketing practices and research authorizations. For example, previously, “pharmaceutical companies could pay pharmacies to communicate with their patients for the purpose of either reminding patients to refill their prescription (“refill reminders”), or to recommend switching to alternative therapies (“switch communications”).”

The final rule “now requires patient authorization before using protected health information for all paid communications that recommend a product or service to the patient, regardless of whether the purpose is treatment or health care operations.” There are several exceptions, however for:

Refill reminders,

Adherence communications, and

Other communications about a drug or biologic that is currently prescribed for the individual do not require authorization, provided that the payment received by the covered entity is “reasonably related to the covered entity’s cost of making the communication.”

The post explained that “reasonably related” most likely “means the covered entity cannot profit from the communication. If the covered entity receives a financial incentive beyond their cost, they must obtain the patient’s authorization.”

“HHS also clarified that communications about a drug or biologic currently prescribed includes communications about generic equivalents. They also clarified that for self-administered drugs or biologics, communications about the entire drug delivery system, such as an insulin pump are considered communications about the drug itself.”

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

In response to the new rules, several healthcare stakeholders expressed concern about the challenges executing them. Todd Richardson , vice president and CIO of Wausau, Wis.-based non-profit health system Aspirus, Inc., told FierceHealthIT that “providers and vendors that use and create electronic health record systems already walk a tight balance between complying with HIPAA and meeting the requirements of the HITECH Act and Meaningful Use regulations.”

“On one hand we have 'protect, protect, protect' and on the other hand we have 'share, share, share,” Richardson said to FireceHealthIT. “While the balance is ‘protect and share,’ the devil is always in the details. The reality is that all of the information is not under the tight control of the covered entity.”

Richardson added that “while all healthcare professionals understand the responsibility to protect patient information, as more systems come online with information, inevitably, there will be more opportunity for data breaches.” Donna Staton, CIO at Warrenton, Va.-based Fauquier Health, noted that the rules “may require a lot of payers and vendors to rethink their positions under reform, where there is already a lot of momentum.” “Patients will definitely see this as an improvement, though, giving them increased control, which supports the goal of improved patient engagement under reform,” she said.

Joseph Kvedar, director of Partners HealthCare's Center for Connected Health in Boston, noted that while privacy is important, “the more privacy we have, the less data liquidity--and that could be a challenge.”

Angela Rose, MHA, RHIA, CHPS, director of health information management practice excellence at the American Health Information Management Association (AHIMA), told Medpage Today that the health information management industry is “breathing a sigh of relief” after the final rule was released, noting that final rules have been anticipated since 2009.

“The final rule ... strengthens patient privacy and security protections that were established under [HIPAA],” said Renae Moch, practice management strategist at the American Academy of Family Physicians in an email. “This rule is presumed to increase workability and flexibility, decrease burden, and better standardize the requirements of the rule for covered entities such as healthcare providers, health plans, or healthcare clearinghouses.”

Impact on Clinical Trials

Analyzing the final rules, RAPs noted that clinical trial sites “will also be exempted from certain requirements, such as those limiting the use of single authorizations ("compound authorizations") for the release of PHI. (Page 175 of the rule).”

“Permitting the use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials are able to condition research-related treatment on the individual’s willingness to authorize the use or disclosure of protected health information for research associated with the trial,” DHHS explained in its rule.

These exemptions could prove crucial to companies hoping to use collected data for “corollary research activity,” such as for research databases or repositories used to find common genetic markers or other information used to generate new information on therapies. “However, trial sites will still be prohibited from using compound authorizations for tissue banking purposes, though they can ask for such samples in a separate authorization form or in the same package so long as it is unconditional,” RAPs writes. DHHS suggested the use of separate check boxes and authorization signature lines for entities that wish to simplify the enrollment process.

Impact on EHRs, HIT

FierceHealthIT also noted that the final omnibus rule has a number of important provisions that directly affect electronic health records (EHRs) and related health information technology (HIT), including:

Health information exchanges (which the rule calls health information organizations) and electronic prescribing gateways will be considered business associates and thus directly subject to many of HIPAA's privacy and security provisions. The obligation applies upon creation of the business associate relationship, not when a business associate agreement is signed. A personal health record vendor may or may not be a business associate, depending on the services that the vendor is providing to the covered entity.

Business associate agreements are necessary despite this new direct liability [i.e. EHR vendors that qualify as business associates need to sign these contracts]

A provider does not have to use an EHR to comply with the new rule, but if the provider does use an EHR, patients have the right to obtain copies of their records in electronic format, in a form requested by the patient. If that format is not available, then the format provided shall be as agreed upon by the provider and the patient. The provider can only charge the patient the labor costs involved.

The final rule sets 30 days (down from 60) for providers to provide patients with access to their records, but "encourages" providers to take advantage of their technologies and provide them sooner, considering that the Meaningful Use program contemplates much faster access than 30 days.

“If a covered entity belongs to a HIE, and the HIE suffers a breach, the covered entity is the one obligated to notify patients. However, since multiple covered entities may be involved due the data sharing inherent in an HIE, the covered entities may delegate to the HIE the notification obligation since that way a patient will only receive one notice.”